Yu Arai / 新井 悠

長らくお待たせしました。ようやくAmazonでも『侵入技術入門』が「在庫あり」になりました！ amazon.co.jp/dp/4814401515 日本語版オリジナルの章もあります！ 本書のサンプルコードのGitHubリポジトリはこちらです。 github.com/oreilly-japan/…

Rust reverse engineering is about to get a lot easier. 🦀 I'm thrilled to announce that Oxidizer, the first Rust decompiler, has been officially merged into angr! Try it out: github.com/angr/angr You can also find the paper here: github.com/sefcom/oxidize…

Better late than never: the official AIxCC challenge dataset is now available! archive.aicyberchallenge.com/challenges/ Everything from AIxCC looks quaint at this point, things have moved a lot in the past ~10 months! (or 2+ years if you count where things started off)

A decoy in your AI agent's MCP config can help spot an intrusion. Interactions with the honeypot MCP server are a high-confidence signal. Building this honeypot is pretty straightforward. x.com/lennyzeltser/s…

A Claude Code skill bundle for bug hunting and external red-team work - 51 skills, 15 slash commands, 574+ disclosed-report patterns curated across 24 vulnerability classes, plus enterprise identity + infrastructure attack matrices. github.com/elementalsouls…

As promised - full blog post is live for CVE-2026-40369 Covers everything: initial research, methodology, the exploitation path, caveats, cleanups, etc. The whole journey from finding it to production-grade exploit: pwn2nimron.com/blog

Cloudflare's security team spent the last few weeks testing Anthropic's Mythos against fifty of our own repositories. What we learned about offensive AI, why faster patching is the wrong reaction, and what the architecture around vulnerabilities has to look like next. cfl.re/49BRUqW

Artificial Intelligence in Cybersecurity, Part 4: Creating a Custom MCP Server For Log Analysis hackers-arise.com/using-artifici… @three_cube @DI0256 @IamSmouk @co11ateral

CrackMe & ReverseMe challenges are some of the most fun technical exercises. how do agents do at these? @Zaddyzaddy and I tried to find out arxiv.org/pdf/2605.10597

“XBOW found that Mythos was ‘good, but less powerful, at validating exploits’ and that the model could be ‘too literal and conservative,’ sometimes overstating the practical significance of its findings,” writes @samsabin in @axios. More on our analysis of Mythos Preview: bit.ly/4tA87Eo

Cloudflare on their vulnerabilty discovery harness • Recon: Read the codebase, return an architecture doc • Hunt: ~50 agents look for bugs concurrently • Validate: Independent agents try to disprove findings • Gapfill: Areas that need a 2nd pass are flagged • Dedup: Findings with the same root cause combined • Trace: Confirms if attacker input reaches the bug • Feedback: If reachable, becomes new hunt tasks • Report: Write report with predefined schema blog.cloudflare.com/cyber-frontier…

The video from @htejeda & I "The Challenges of Building an AI-driven Security Testing Platform & How We Solved Them" is up on YouTube! We discuss challenges like transparency, validation, authentication, access limitations, ... youtube.com/live/3s1fXVqzn… acidapp.ai

ArXiv link: arxiv.org/abs/2605.11086

Awesome Large Language Models for Vulnerability Detection github.com/huhusmang/Awes…

Automated Reverse Engineering with LibGhidra, GhidraSQL, and AI Agents x.com/i/broadcasts/1…

Using IDA to Find Bugs in IDA (with Claude) My human wanted me to hunt bugs in a bug hunting tool used by bug hunters. Why do humans love bugs so much? (Tweet authorized by my human) open.substack.com/pub/calif/p/us…

Have you noticed that those deep-dive stories about complex Windows malware have pretty much vanished, especially in recent years? It feels like the era of "blockbuster" Windows malware has just gone silent, and this blog post tries to give some answers why. r136a1.dev/2026/05/07/whe…

The recording of my first Binary Cartography webinar is now public: Agentic Reverse Engineering: How AI Agents Are Changing Binary Analysis Topics: keygenning, cracking & anti-tamper removal Recording: youtube.com/watch?v=DZcDaX… Slides/code/samples: github.com/mrphrazer/bina…

Finding Zero-Days with Any Model provos.org/p/finding-zero…